Select Page

Got hacked…

 Everything has started with an email

From: Enrique MONTECRISTO ([email protected])
Sent: Mon 6/18/07 10:04 PM
To: [email protected]
Hello Cedric,
When I browse your website with Firefox, I get this kind of warning from my GDATA antivirus shield :
Virus: Trojan-Downloader.VBS.Agent.u
Virus: Trojan-Downloader.JS.Agent.fq
Is it a fake ?

The "virus" Trojan-Downloader.JS. seems like a malicious javascript inline somewhere in my homepage
Thanks to Firefox WebDeveloper toolbar, it was quite easy to locate the malicious script (View all javascript)

The Hacker was inserting 2 strange line in my content. He has tampered:

// displays queries performed for page
if ($mosConfig_debug) {
    echo $database->_ticker . ' queries executed';
    echo '<pre>';
    foreach ($database->_log as $k=>$sql) {
        echo $k+1 . "\n" . $sql . '<hr />';
    echo '</pre>';

<iframe width=’1′ height=’1′ border=’0′ frameborder=’0′ src=’′></iframe>

AND /index2.php

<html xmlns="">
            <?php echo $mainframe->getHead(); ?>
            <link rel="stylesheet" href="templates/<?php echo $cur_template;?>/css/template_css.css" type="text/css" />
            <link rel="shortcut icon" href="<?php echo $mosConfig_live_site; ?>/images/favicon.ico" />
            <meta http-equiv="Content-Type" content="text/html; <?php echo _ISO; ?>" />
            <meta name="robots" content="noindex, nofollow" />
            <?php if ($my->id || $mainframe->get( 'joomlaJavascript' )) { ?>
            <script language="JavaScript" src="<?php echo $mosConfig_live_site;?>/includes/js/joomla.javascript.js" type="text/javascript"></script>
            <?php } ?>
        <body class="contentpane">
           <iframe width='1' height='1' border='0' frameborder='0' src=''></iframe>
            <?php mosMainBody(); ?>

Which got replace at runtime with  I dont want to make publicity to this hacker by publishing his server url here

How to find all place potentialy infected?

return a list of all files with path (-H) that contains the substring xxxxx

# find . -type f  -exec grep -H xxxxx {} \;

How did I get infected?

It seems that the hacker has use my demo site at to copy an image on the server or replace an existing one which was having bad user rights
It may be an image like this one runme.php.jpg  this image then bootstrap and load a hacker tool c99shell (also known as PHP/C99Shell.A or Backdoor.PHP.C99Shell.c)

PHP/C99Shell-A is a backdoor Trojan for platforms with PHP support, such as web servers. PHP/C99Shell-A listens for commands from a remote user.

How to avoid that next time

No file in apache root must have more than r–r–r– rights so here is a small scripts that you can crontab or save for periodically check. It automatically change all files to read only for all, group and other

# find . -type f -perm 600 -exec chmod ago=r {} \;

Joomla! is automating during file save the CHMOD, but not on all files in the structure.

Avoid any files with setguid in your apache root
# find . -type f -perm 600 -exec chmod ago=r {} \;


About The Author

Cédric Walter

I worked with various Insurances companies across Switzerland on online applications handling billion premium volumes. I love to continuously spark my creativity in many different and challenging open-source projects fueled by my great passion for innovation and blockchain technology.In my technical role as a senior software engineer and Blockchain consultant, I help to define and implement innovative solutions in the scope of both blockchain and traditional products, solutions, and services. I can support the full spectrum of software development activities, starting from analyzing ideas and business cases and up to the production deployment of the solutions.I'm the Founder and CEO of Disruptr GmbH.